Enterprise security in meters

ABSTRACT

The present disclosure provides for enterprise security in intelligent electronic devices such as electric power meters. In accordance with the present disclosure, enterprise security is a security system in which each individual device, instead of configuring and storing security configurations locally, use a security server for security verifications. Such a security server of the present disclosure may be a dedicated computer on a network, that is used to manage the security configuration for all users. This makes it simpler for administrators to configure users and devices, which in turn improves security by encouraging security to be properly configured.

PRIORITY

This application claims priority to U.S. Provisional Patent ApplicationSerial No. 62/858,586, filed Jun. 7, 2019, the contents of which arehereby incorporated by reference in its entirety.

BACKGROUND Field

The present disclosure relates generally to intelligent electronicdevices (IEDs) and, in particular, to devices, systems and methods forproviding security in intelligent electronic devices, for example,meters, protective relays, programmable logic controllers (PLCs) and thelike.

Description of the Related Art

Monitoring of electrical energy by consumers and providers of electricpower is a fundamental function within any electric power distributionsystem. Electrical energy may be monitored for purposes of usage,equipment performance and power quality. Electrical parameters that maybe monitored include volts, amps, watts, vars, power factor, harmonics,kilowatt hours, kilovar hours and any other power related measurementparameters. Typically, measurement of the voltage and current at alocation within the electric power distribution system may be used todetermine the electrical parameters for electrical energy flowingthrough that location.

Devices that perform monitoring of electrical energy may beelectromechanical devices, such as, for example, a residential billingmeter or may be an intelligent electronic device (“IED”). Intelligentelectronic devices typically include some form of a processor. Ingeneral, the processor is capable of using the measured voltage andcurrent to derive the measurement parameters. The processor operatesbased on a software configuration. A typical consumer or supplier ofelectrical energy may have many intelligent electronic devices installedand operating throughout their operations. IEDs may be positioned alongthe supplier's distribution path or within a customer's internaldistribution system. IEDs include revenue electric watt-hour meters,protection relays, programmable logic controllers, remote terminalunits, fault recorders and other devices used to monitor and/or controlelectrical power distribution and consumption. IEDs are widely availablethat make use of memory and microprocessors to provide increasedversatility and additional functionality. Such functionality includesthe ability to communicate with remote computing systems, either via adirect connection, e.g., a modem, a wireless connection or a network.IEDs also include legacy mechanical or electromechanical devices thathave been retrofitted with appropriate hardware and/or software allowingintegration with the power management system.

Typically, an IED is associated with a particular load or set of loadsthat are drawing electrical power from the power distribution system.The IED may also be capable of receiving data from or controlling itsassociated load. Depending on the type of IED and the type of load itmay be associated with, the IED implements a power management functionthat is able to respond to a power management command and/or generatepower management data. Power management functions include measuringpower consumption, controlling power distribution such as a relayfunction, monitoring power quality, measuring power parameters such asphasor components, voltage or current, controlling power generationfacilities, computing revenue, controlling electrical power flow andload shedding, or combinations thereof.

Security in meters has been a traditionally overlooked feature in thepower industry. Historically, this has been due to meters primarilybeing installed on serial networks, or only accessible by hand heldreaders. However, as networks become more connected, and devices moreadvanced, so too does the risk of a meter being compromised.

When security is implemented in meters, it is often a simple numericpassword, and often providing complete access to the device. However,even when a more complex password is allowed, users will often still usesimple passwords anyway; or even worse, they configure all meters on anetwork with the same password, which allows the compromise of one meterto allow the compromise of all meters.

SUMMARY

The present disclosure provides for enterprise security in intelligentelectronic devices such as electric power meters. In accordance with thepresent disclosure, enterprise security is a security system in whicheach individual device, instead of configuring and storing securityconfigurations locally, use a security server for securityverifications. Such a security server of the present disclosure may be adedicated computer on a network, that is used to manage the securityconfiguration for all users. This makes it simpler for administrators toconfigure users and devices, which in turn improves security byencouraging security to be properly configured.

Additionally, since users and devices are all managed in one place, therisk of using a single password on all devices can be mitigated, byallowing users to use the same login across all meters. Users are thenencouraged to use more complex passwords, since the users don't have tomemorize hundreds or thousands of passwords; and if a user/password iscompromised, all the devices can have their security configurationchanged simultaneously, rather than tediously reconfiguring each one.

Enterprise security servers may be used to manage a range of existingdevices, such as PC's, Routers, Switches, Servers, etc. One example ofan enterprise security server would be a Windows Domain Controller;another would be a Remote Authentication Dial-in User Service (RADIUS)server, often used with Wi-Fi Protected Access (WPA)-Enterprise enabledWi-Fi Routers. Such an enterprise security server may also allow metersto use a Federated Identity, where a single identity may be used by auser to log in to multiple services, such as a domain, a meter, andtheir PC.

In one aspect of the present disclosure, a system is provided includinga network for coupling devices and enabling the transmission of databetween the devices; at least one security server coupled to the networkincluding a first memory, the first memory configured to store securityconfigurations for a plurality of meters; and the plurality of meters,each meter of the plurality of meters including: a communication devicefor coupling the meter to the network and receiving the securityconfiguration for the meter, and a second memory for storing thesecurity configuration in a local database.

In one aspect, the first memory further includes a mapping of each meterto security credentials of individual users.

In another aspect, the communication device of each meter is configuredto pull the security configuration from the security server without thesecurity server knowing the network address of the meter.

In a further aspect, the security server sends a notification to eachmeter when a security configuration has changes and the meter pulls thechanged security configuration after receiving the notification.

In another aspect, the notification is sent via at least one of a Modbuscommand and/or a HTTP POST command.

In one aspect, the notification is broadcast as a UDP (user datagramprotocol) message to the plurality of meters.

In still another aspect, the security configuration for each meterincludes a device profile for the meter, the device profile includingsecurity and non-security parameters.

In a further aspect, the device profile is configured via a LightweightDirectory Access Protocol (LDAP) setting profile of the meter.

In one aspect, the security configuration is a single list of usercredentials applicable to each meter.

In another aspect, the list identifies which specific meter of theplurality of meters a specific user has access to.

In yet another aspect, the security configuration includes a pluralityof users arranged in at least one group, access permissions to theplurality of meters being based on the at least one group.

In another aspect, the at least one groups is configured via WindowsActive Directories and features of the meter are managed as ActiveDirectory objects.

In a further aspect, the communication device transmits a security eventto the security server for storage in a log.

In another aspect, the security event is transmitted via a LightweightDirectory Access Protocol (LDAP).

In one aspect, the log is fed into a security information and eventmanagement (SIEM) system for analysis, wherein the SIEM system generatesan alert based on at least one of when a specified event is detected, athreshold of event occurrences has been exceeded and/or a combination ofevents has occurred.

In another aspect, the log is fed into an intrusion detection system(IDS) for analysis, wherein the IDS system generates an alert basedevents indicative of an intrusion by an attacker.

In another aspect of the present disclosure, an electric power meterincludes at least one sensor coupled an electrical power distributionsystem, the at least one sensor configured to measure at least oneparameter of the electrical power distribution system and generate atleast one analog signal indicative of the at least one parameter; atleast one analog-to-digital converter configured to receive the at leastone analog signal and convert the at least one analog signal to at leastone digital signal; at least one processor configured to receive the atleast one digital signal and calculate at least one power parameter ofthe electrical power distribution system; and a communication device forcoupling the meter to a network, querying a security server for usercredentials upon a user attempting to log into the meter and retrievingthe user credentials, wherein the at least one processor compares theretrieved user credentials to credentials used in the log in attempt togrant access to the meter.

In another aspect, the at least one processor caches the retrieved usercredentials in a memory of the meter and requeries the security serverupon the retrieved user credentials expiring.

In one aspect, the at least one processor limits the number of usercredentials stored in the memory.

In another aspect, the at least one processor transmits a security eventto the security server for storage in a log.

In a further aspect, the security event is transmitted via a LightweightDirectory Access Protocol (LDAP).

In a further aspect of the present disclosure, a method forauthenticating a meter includes generating a first certificate for themeter; receiving the first certificate at the meter; generating a secondcertificate at the meter; generating a private key and a public key atthe meter based on the second certificate; and transmitting the publickey to a security server.

In one aspect, the method further includes generating a message to betransmitted to the security server; computing a hash value of themessage; generating a signature using the private key; and transmittinga combined message to the security server, the combined messageincluding the message, the hash and the signature, wherein the securityserver verifies the signature and hash to authenticate the message camefrom a valid meter.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects, features and advantages of the presentdisclosure will be apparent from a consideration of the followingDetailed Description considered in conjunction with the drawing Figures,in which:

FIG. 1 is a block diagram of an intelligent electronic device (IED),according to an embodiment of the present disclosure.

FIGS. 2A-2H illustrate exemplary form factors for an intelligentelectronic device (IED) in accordance with an embodiment of the presentdisclosure.

FIG. 3 illustrates an environment in which the present disclosure may beutilized.

FIG. 4 illustrates a security configuration where credentials for eachuser are configured individually in each meter.

FIG. 5 illustrates a security configuration where credentials for eachuser are configured from a single interface in accordance with thepresent disclosure.

FIG. 6 illustrates a centralized security system in accordance with anembodiment of the present disclosure.

FIG. 7 illustrates a centralized security system in accordance withanother embodiment of the present disclosure.

FIG. 8A illustrates an authentication system using certificates inaccordance with an embodiment of the present disclosure.

FIG. 8B illustrates an authentication method using certificates inaccordance with an embodiment of the present disclosure.

FIG. 9 is a block diagram of an exemplary computing device in accordancewith an embodiment of the present disclosure.

DETAILED DESCRIPTION

Embodiments of the present disclosure will be described herein belowwith reference to the accompanying drawings. In the followingdescription, well-known functions or constructions are not described indetail to avoid obscuring the present disclosure in unnecessary detail.The word “exemplary” is used herein to mean “serving as an example,instance, or illustration.” Any configuration or design described hereinas “exemplary” is not necessarily to be construed as preferred oradvantageous over other configurations or designs. Herein, the phrase“coupled” is defined to mean directly connected to or indirectlyconnected with through one or more intermediate components. Suchintermediate components may include both hardware and software basedcomponents.

It is further noted that, unless indicated otherwise, all functionsdescribed herein may be performed in either hardware or software, orsome combination thereof. In one embodiment, however, the functions areperformed by at least one processor, such as a computer or an electronicdata processor, digital signal processor or embedded micro-controller,in accordance with code, such as computer program code, software, and/orintegrated circuits that are coded to perform such functions, unlessindicated otherwise.

It should be appreciated that the present disclosure can be implementedin numerous ways, including as a process, an apparatus, a system, adevice, a method, or a computer readable medium such as a computerreadable storage medium or a computer network where program instructionsare sent over optical or electronic communication links.

Embodiments of the present disclosure will be described herein belowwith reference to the accompanying drawings.

As used herein, intelligent electronic devices (“IEDs”) can be anydevice that senses electrical parameters and computes data including,but not limited to, Programmable Logic Controllers (“PLC's”), RemoteTerminal Units (“RTU's”), electric power meters, panel meters,protective relays, fault recorders, phase measurement units, serialswitches, smart input/output devices and other devices which are coupledwith power distribution networks to manage and control the distributionand consumption of electrical power. A meter is a device that recordsand measures power events, power quality, current, voltage waveforms,harmonics, transients and other power disturbances. Revenue accuratemeters (“revenue meter”) relate to revenue accuracy electrical powermetering devices with the ability to detect, monitor, report, quantifyand communicate power quality information about the power that they aremetering.

FIG. 1 is a block diagram of an intelligent electronic device (IED) 100for monitoring and determining power usage and power quality for anymetered point within a power distribution system and for providing adata transfer system for faster and more accurate processing of revenueand waveform analysis.

The IED 100 of FIG. 1 includes a plurality of sensors 112 coupled tovarious phases A, B, C and neutral N of an electrical distributionsystem 111, a plurality of analog-to-digital (A/D) converters 114,including inputs coupled to the sensor 112 outputs, a power supply 116,a volatile memory 118, an non-volatile memory 120, a multimedia userinterface 122, and a processing system that includes at least onecentral processing unit (CPU) 150 (or host processor) and/or one or moredigital signal processors, two of which are shown, i.e., DSP1 160 andDSP2 170. The IED 100 also includes a Field Programmable Gate Array 180which performs a number of functions, including, but not limited to,acting as a communications gateway for routing data between the variousprocessors 150, 160, 170, receiving data from the A/D converters 114performing transient detection and capture and performing memorydecoding for CPU 150 and the DSP processor 160. In one embodiment, theFPGA 80 is internally comprised of two dual port memories to facilitatethe various functions. It is to be appreciated that the variouscomponents shown in FIG. 1 are contained within housing 190. Exemplaryhousings will be described below in relation to FIGS. 2A-2H.

The plurality of sensors 112 sense electrical parameters, e.g., voltageand current, on incoming lines (i.e., phase A, phase B, phase C, neutralN) of an electrical power distribution system 111 e.g., an electricalcircuit, that are coupled to at least one load 113 that consumes thepower provided. In one embodiment, the sensors 112 will include currenttransformers and potential transformers, wherein one current transformerand one voltage transformer will be coupled to each phase of theincoming power lines. A primary winding of each transformer will becoupled to the incoming power lines and a secondary winding of eachtransformer will output a voltage representative of the sensed voltageand current. The output of each transformer will be coupled to the A/Dconverters 114 configured to convert the analog output voltage from thetransformer to a digital signal that can be processed by the CPU 150,DSP1 160, DSP2 170, FPGA 180 or any combination thereof.

A/D converters 114 are respectively configured to convert an analogvoltage output to a digital signal that is transmitted to a gate array,such as Field Programmable Gate Array (FPGA) 180. The digital signal isthen transmitted from the FPGA 180 to the CPU 150 and/or one or more DSPprocessors 160, 170 to be processed in a manner to be described below.

The CPU 150 or DSP Processors 160, 170 are configured to operativelyreceive digital signals from the A/D converters 114 (see FIG. 1 ) toperform calculations necessary to determine power usage and to controlthe overall operations of the IED 100. In some embodiments, CPU 150,DSP1 160 and DSP2 170 may be combined into a single processor, servingthe functions of each component. In some embodiments, it is contemplatedto use an Erasable Programmable Logic Device (EPLD) or a ComplexProgrammable Logic Device (CPLD) or any other programmable logic devicein place of the FPGA 180. In some embodiments, the digital samples,which are output from the A/D converters 114 are sent directly to theCPU 150 or DSP processors 160, 170, effectively bypassing the FPGA 180as a communications gateway.

The power supply 116 provides power to each component of the IED 100. Inone embodiment, the power supply 116 is a transformer with its primarywindings coupled to the incoming power distribution lines and havingwindings to provide a nominal voltage, e.g., 5VDC, +12VDC and −12VDC, atits secondary windings. In other embodiments, power may be supplied froman independent power source to the power supply 116. For example, powermay be supplied from a different electrical circuit or anuninterruptible power supply (UPS).

In one embodiment, the power supply 116 can be a switch mode powersupply in which the primary AC signal will be converted to a form of DCsignal and then switched at high frequency, such as, for example, 100Khz, and then brought through a transformer to step the primary voltagedown to, for example, 5 Volts AC. A rectifier and a regulating circuitwould then be used to regulate the voltage and provide a stable DC lowvoltage output. Other embodiments, such as, but not limited to, linearpower supplies or capacitor dividing power supplies are alsocontemplated.

The multimedia user interface 122 is shown coupled to the CPU 150 inFIG. 1 for interacting with a user and for communicating events, such asalarms and instructions to the user. The multimedia user interface 122may include a display for providing visual indications to the user. Thedisplay may be embodied as a touch screen, a liquid crystal display(LCD), a plurality of LED number segments, individual light bulbs or anycombination. The display may provide information to the user in the formof alpha-numeric lines, computer-generated graphics, videos, animations,etc. The multimedia user interface 122 further includes a speaker oraudible output means for audibly producing instructions, alarms, data,etc. The speaker is coupled to the CPU 150 via a digital-to-analogconverter (D/A) for converting digital audio files stored in a memory118 or non-volatile memory 120 to analog signals playable by thespeaker.

The IED 100 will support various file types including but not limited toMicrosoft Windows Media Video files (.wmv), Microsoft Photo Story files(.asf), Microsoft Windows Media Audio files (.wma), MP3 audio files(.mp3), JPEG image files (.jpg, .jpeg, .jpe, .jfif), MPEG movie files(.mpeg, .mpg, .mpe, .m1v, .mp2v .mpeg2), Microsoft Recorded TV Showfiles (.dvr-ms), Microsoft Windows Video files (.avi) and MicrosoftWindows Audio files (.wav).

The IED 100 further comprises a volatile memory 118 and a non-volatilememory 120. In addition to storing audio and/or video files, volatilememory 118 will store the sensed and generated data for furtherprocessing and for retrieval when called upon to be displayed at the IED100 or from a remote location. The volatile memory 118 includes internalstorage memory, e.g., random access memory (RAM), and the non-volatilememory 120 includes removable memory such as magnetic storage memory;optical storage memory, e.g., the various types of CD and DVD media;solid-state storage memory, e.g., a CompactFlash card, a Memory Stick,SmartMedia card, MultiMediaCard (MMC), SD (Secure Digital) memory; orany other memory storage that exists currently or will exist in thefuture. By utilizing removable memory, an IED can be easily upgraded asneeded. Such memory will be used for storing historical trends, waveformcaptures, event logs including time-stamps and stored digital samplesfor later downloading to a client application, web-server or PCapplication.

In a further embodiment, the IED 100 will include a communication device124, also know as a network interface, for enabling communicationsbetween the IED or meter, and a remote terminal unit, programmable logiccontroller and other computing devices, microprocessors, a desktopcomputer, laptop computer, other meter modules, etc. The communicationdevice 124 may be a modem, network interface card (NIC), wirelesstransceiver, etc. The communication device 124 will perform itsfunctionality by hardwired and/or wireless connectivity. The hardwireconnection may include but is not limited to hard wire cabling e.g.,parallel or serial cables, RS232, RS485, USB cable, Firewire (1394connectivity) cables, Ethernet, and the appropriate communication portconfiguration. The wireless connection may operate under any of thevarious wireless protocols including but not limited to Bluetooth™interconnectivity, infrared connectivity, radio transmissionconnectivity including computer digital signal broadcasting andreception commonly referred to as Wi-Fi or 802.11.X (where x denotes thetype of transmission), satellite transmission or any other type ofcommunication protocols, communication architecture or systems currentlyexisting or to be developed for wirelessly transmitting data includingspread spectrum 900 MHz, or other frequencies, Zigbee, WiFi, or any meshenabled wireless communication.

The IED 100 may communicate to a server or other computing device viathe communication device 124. The IED 100 may be connected to acommunications network, e.g., the Internet, by any means, for example, ahardwired or wireless connection, such as dial-up, hardwired, cable,DSL, satellite, cellular, PCS, wireless transmission (e.g.,802.11a/b/g), etc. It is to be appreciated that the network may be alocal area network (LAN), wide area network (WAN), the Internet or anynetwork that couples a plurality of computers to enable various modes ofcommunication via network messages. Furthermore, the server willcommunicate using various protocols such as Transmission ControlProtocol/Internet Protocol (TCP/IP), File Transfer Protocol (FTP),Hypertext Transfer Protocol (HTTP), etc. and secure protocols such asHypertext Transfer Protocol Secure (HTTPS), Internet Protocol SecurityProtocol (IPSec), Point-to-Point Tunneling Protocol (PPTP), SecureSockets Layer (SSL) Protocol, etc. The server may further include astorage medium for storing a data received from at least one IED ormeter and/or storing data to be retrieved by the IED or meter.

In an additional embodiment, the IED 100 may also have the capability ofnot only digitizing waveforms, but storing the waveform and transferringthat data upstream to a central computer, e.g., a remote server, when anevent occurs such as a voltage surge or sag or a current short circuit.This data may be triggered and captured on an event, stored to memory,e.g., non-volatile RAM, and additionally transferred to a host computerwithin the existing communication infrastructure either immediately inresponse to a request from a remote device or computer to receive saiddata in response to a polled request. The digitized waveform will alsoallow the CPU 150 to compute other electrical parameters such asharmonics, magnitudes, symmetrical components and phasor analysis. Usingthe harmonics, the IED 100 will also calculate dangerous heatingconditions and can provide harmonic transformer derating based onharmonics found in the current waveform.

In a further embodiment, the IED 100 will execute an e-mail client andwill send e-mails to the utility or to the customer direct on anoccasion that a power quality event occurs. This allows utilitycompanies to dispatch crews to repair the condition. The data generatedby the meters are used to diagnose the cause of the condition. The datais transferred through the infrastructure created by the electricalpower distribution system. The email client will utilize a POP3 or otherstandard mail protocol. A user will program the outgoing mail server andemail address into the meter. An exemplary embodiment of said meteringis described in U.S. Pat. No. 6,751,563, which all contents thereof areincorporated by reference herein.

The techniques of the present disclosure can be used to automaticallymaintain program data and provide field wide updates upon which IEDfirmware and/or software can be upgraded. An event command can be issuedby a user, on a schedule or by digital communication that will triggerthe IED 100 to access a remote server and obtain the new program code.This will ensure that program data will also be maintained allowing theuser to be assured that all information is displayed identically on allunits.

It is to be understood that the present disclosure may be implemented invarious forms of hardware, software, firmware, special purposeprocessors, or a combination thereof. The IED 10 also includes anoperating system and micro instruction code. The various processes andfunctions described herein may either be part of the micro instructioncode or part of an application program (or a combination thereof) whichis executed via the operating system.

It is to be further understood that because some of the constituentsystem components and method steps depicted in the accompanying figuresmay be implemented in software, or firmware, the actual connectionsbetween the system components (or the process steps) may differdepending upon the manner in which the present disclosure is programmed.Given the teachings of the present disclosure provided herein, one ofordinary skill in the related art will be able to contemplate these andsimilar implementations or configurations of the present disclosure.

Furthermore, it is to be appreciated that the components and devices ofthe IED 10 of FIG. 1 may be disposed in various housings depending onthe application or environment. For example, the IED 100 may beconfigured as a panel meter 200 as shown in FIG. 2A an 2B. The panelmeter 200 of FIGS. 2A and 2B is described in more detail in commonlyowned U.S. Pat. No. 7,271,996, the contents of which are herebyincorporated by reference. As seen in FIGS. 2A and 2B, the IED 200includes a housing 202 defining a front surface 202 a, a rear surface202 b, a top surface 202 c, a bottom surface 202 d, a right side surface202 e, and a left side surface (not shown). Electrical device 200includes a face plate 204 operatively connected to front surface 202 aof housing 202. Face plate 204 includes displays 206, indicators 208(e.g., LEDs and the like), buttons 210, and the like providing a userwith an interface for visualization and operation of electrical device200. For example, as seen in FIG. 2A, face plate 204 of electricaldevice 200 includes analog and/or digital displays 206 capable ofproducing alphanumeric characters. Face plate 204 includes a pluralityof indicators 208 which, when illuminated, indicate to the user the“type of reading”, the “% of load bar”, the “parameter designation”which indicates the reading which is being displayed on displays 206, a“scale selector” (e.g., Kilo or Mega multiplier of Displayed Readings),etc. Face plate 204 includes a plurality of buttons 210 (e.g., a “menu”button, an “enter” button, a “down” button, a “right” button, etc.) forperforming a plurality of functions, including and not limited to:viewing of meter information; enter display modes; configuringparameters; performing re-sets; performing LED checks; changingsettings; viewing parameter values; scrolling parameter values; andviewing limit states. The housing 202 includes voltage connections orinputs 212 provided on rear surface 202 b thereof, and current inputs214 provided along right side surface 202 e thereof. The IED 200 mayinclude a first interface or communication port 216 for connection to amaster and/or slave device. Desirably, first communication port 216 issituated in rear surface 202 b of housing 202. IED 200 may also includea second interface or communication port 218 situated on face plate 204.

In other embodiment, the IED 100 may be configured as a socket meter220, also known as a S-base type meter or type S meter, as shown in FIG.2C an 2D. An exemplary socket meter is described in more detail incommonly owned U.S. Pat. No. 8,717,007, the contents of which are herebyincorporated by reference. Referring to FIGS. 2C and 2D, the meter 220includes a main housing 222 surrounded by a cover 224. The cover 224 ispreferably made of a clear material to expose a display 226 disposed onthe main body 222. An interface 228 to access the display and acommunication port 230 is also provided and accessible through the cover224. The meter 220 further includes a plurality of current terminals 232and voltage terminals 234 disposed on backside of the meter extendingthrough a base 235. The terminals 232, 234 are designed to mate withmatching jaws of a detachable meter-mounting device, such as a revenuemeter socket. The socket is hard wired to the electrical circuit and isnot meant to be removed. To install an S-base meter, the utility needonly plug in the meter into the socket. Once installed, a socket-sealingring 236 is used as a seal between the meter 220 and/or cover 224 andthe meter socket to prevent removal of the meter and to indicatetampering with the meter.

In a further embodiment, the IED 100 of FIG. 1 may be disposed in aswitchboard or draw-out type housing 240 as shown in FIGS. 2E and 2F,where FIG. 2E is a front view and FIG. 2F is a rear view. Theswitchboard enclosure 242 usually features a cover 244 with atransparent face 246 to allow the meter display 248 to be read and theuser interface 250 to be interacted with by the user. The cover 244 alsohas a sealing mechanism (not shown) to prevent unauthorized access tothe meter. A rear surface 252 of the switchboard enclosure 242 providesconnections for voltage and current inputs 254 and for variouscommunication interfaces 256. Although not shown, the meter disposed inthe switchboard enclosure 242 may be mounted on a draw-out chassis whichis removable from the switchboard enclosure 242. The draw-out chassisinterconnects the meter electronics with the electrical circuit. Thedraw-out chassis contains electrical connections which mate withmatching connectors 254, 256 disposed on the rear surface 252 of theenclosure 242 when the chassis is slid into place.

In yet another embodiment, the IED 100 of FIG. 1 may be disposed in anA-base or type A housing as shown in FIGS. 2G and 2H. A-base meters 260feature bottom connected terminals 262 on the bottom side of the meterhousing 264. These terminals 262 are typically screw terminals forreceiving the conductors of the electric circuit (not shown). A-basemeters 260 further include a meter cover 266, meter body 268, a display270 and input/output means 272. Further, the meter cover 266 includes aninput/output interface 274. The cover 266 encloses the meter electronics268 and the display 270. The cover 266 has a sealing mechanism (notshown) which prevents unauthorized tampering with the meter electronics.

It is to be appreciated that other housings and mounting schemes, e.g.,circuit breaker mounted, are contemplated to be within the scope of thepresent disclosure.

FIG. 3 illustrates an exemplary environment 300 in which the presentdisclosure may be practiced. The environment 300 includes at least oneIED 310, 312, 314 and at least one computing device, e.g., servers 324,326, 340, clients 328, etc. The network 302 may be the Internet, apublic or private intranet, an extranet, wide area network (WAN), localarea network (LAN) or any other network configuration to enable transferof data and commands. An example network configuration uses theTransport Control Protocol/Internet Protocol (“TCP/IP”) network protocolsuite, however, other Internet Protocol based networks are contemplatedby the present disclosure. Communications may also include IP tunnelingprotocols such as those that allow virtual private networks couplingmultiple intranets or extranets together via the Internet. The network302 may support existing or envisioned application protocols, such as,for example, telnet, POP3, Mime, HTTP, HTTPS, PPP, TCP/IP, SMTP,proprietary protocols, or any other network protocols. During operation,the IED(s) may communicate using the network 302 as will be hereinafterdiscussed.

It is to be appreciated that are at least two basic types of networks,based on the communication patterns between the machines: client/servernetworks and peer-to-peer networks. On a client/server network, everycomputer, device or IED has a distinct role: that of either a client ora server. A server is designed to share its resources among the clientcomputers on the network. A dedicated server computer often has fasterprocessors, more memory, and more storage space than a client because itmight have to service dozens or even hundreds of users at the same time.High-performance servers typically use from two to eight processors (andthat's not counting multi-core CPUs), have many gigabytes of memoryinstalled, and have one or more server-optimized network interface cards(NICs), RAID (Redundant Array of Independent Drives) storage consistingof multiple drives, and redundant power supplies. Servers often run aspecial network OS—such as Windows Server, Linux, or UNIX—that isdesigned solely to facilitate the sharing of its resources. Theseresources can reside on a single server or on a group of servers. Whenmore than one server is used, each server can “specialize” in aparticular task (file server, print server, fax server, email server,and so on) or provide redundancy (duplicate servers) in case of serverfailure. For demanding computing tasks, several servers can act as asingle unit through the use of parallel processing. A client devicetypically communicates only with servers, not with other clients. Aclient system may be a standard PC that is running an OS such asWindows, Linux, etc. Current OSes contain client software that enablesthe client computers to access the resources that servers share. OlderOSes, such as Windows 3.x and DOS, required add-on network clientsoftware to join a network. By contrast, on a peer-to-peer network,every computer or device is equal and can communicate with any othercomputer or device on the network to which it has been granted accessrights. Essentially, every computer or device on a peer-to-peer networkcan function as both a server and a client; any computer or device on apeer-to-peer network is considered a server if it shares a printer, afolder, a drive, or some other resource with the rest of the network.Note that the actual networking hardware (interface cards, cables, andso on) is the same in client/server versus peer-to-peer networks, it isonly the logical organization, management and control of the networkthat varies.

A client may comprise any computing device, such as a server, mainframe,workstation, personal computer, hand-held computer, laptop telephonydevice, network appliance, an IED, Programmable Logic Controller, PowerMeter, Protective Relay etc. The client may include system memory, whichmay be implemented in volatile and/or non-volatile devices, and one ormore client applications which may execute in the system memory. Suchclient applications may include, for example, FTP client applications.File Transfer Protocol (FTP) is an application for transfer of filesbetween computers attached to Transmission Control Protocol/InternetProtocol (TCP/IP) networks, including the Internet. FTP is a“client/server” application, such that a user runs a program on onecomputer system, the “client”, which communicates with a program runningon another computer system, the “server”. In one embodiment, IED 310includes at least an FTP server.

While FTP file transfer comprises one embodiment for encapsulating filesto improve a data transfer rate from an IED to external clients, thepresent disclosure contemplates the use of other file transferprotocols, such as the Ethernet protocol such as HTTP or TCP/IP forexample. Of course, other Ethernet protocols are contemplated for use bythe present disclosure. For example, for the purpose of security andfirewall access, it may be preferable to utilize HTTP file encapsulationas opposed to sending the data via FTP. In other embodiments, data canbe attached as an email and sent via SMTP, for example.

Although the above described embodiments enable users outside of thenetwork the IED or meter is residing on to access the internal memory orserver of the IED or meter, IT departments commonly block this accessthrough a firewall to avoid access by dangerous threats into corporatenetworks. A firewall is a system designed to prevent unauthorized accessto or from a private network, e.g., an internal network of a building, acorporate network, etc. Firewalls can be implemented in both hardwareand software, or a combination of both. Firewalls are frequently used toprevent unauthorized Internet users from accessing private networksconnected to the Internet, especially intranets. All messages enteringor leaving the intranet pass through the firewall, which examines eachmessage and blocks those that do not meet the specified securitycriteria. A firewall may employ one or more of the following techniquesto control the flow of traffic in and of the network it isprotecting: 1) packet filtering: looks at each packet entering orleaving the network and accepts or rejects it based on user-definedrules; 2) Application gateway: applies security mechanisms to specificapplications, such as FTP and Telnet servers; 3) Circuit-level gateway:applies security mechanisms when a TCP or UDP connection is established,once the connection has been made, packets can flow between the hostswithout further checking; 4) Proxy server: intercepts all messagesentering and leaving the network, effectively hides the true networkaddresses; and 5) Stateful inspection: doesn't examine the contents ofeach packet but instead compares certain key parts of the packet to adatabase of trusted information, if the comparison yields a reasonablematch, the information is allowed through, otherwise it is discarded.Other techniques and to be developed techniques are contemplated to bewithin the scope of the present disclosure.

In one embodiment, the IED or metering device will communicate throughthe firewall using a protocol such as HTTP via a port that is openthrough the firewall. Referring to FIG. 3 ., IEDs or meters 310, 312,314 reside on an internal network 316, e.g., an intranet, privatenetwork, corporate network, etc. The internal network 316 is coupled toan external network 302, e.g., the Internet, via a router 320 or similardevice over any known hardwire or wireless connection 321. A firewall318 is disposed between the internal network 316 and external network302 to prevent unauthorized access from outside the internal network 316to the IEDs or meters 310, 312, 314. Although the firewall 318 is shownbetween the internal network 316 and the router 320 it is to beappreciated that other configurations are possible, for example, thefirewall 318 being disposed between the router 320 and external network302. In other embodiments, the firewall 318 and router 320 may beconfigured as a single device. It is further to be appreciated thatfirewall 318 can be implemented in both hardware and software, or acombination of both.

The communication device or network interface of the meter (as describedabove in relation to FIG. 1 ) may communicate through the firewall 318and read a web site server 324. It is to be appreciated that the one waycommunication from the IED through the firewall may be enabled byvarious techniques, for example, by enabling outbound traffic to the IPaddress or domain name of the server 524 or by using a protocol that hasbeen configured, via the firewall settings, to pass through the firewallsuch as HTTP (Hyper Text Transfer Protocol), IP (Internet Protocol), TCP(Transmission Control Protocol), FTP (File Transfer Protocol), UDP (UserDatagram Protocol), ICMP (Internet Control Message Protocol), SMTP(Simple Mail Transport Protocol), SNMP (Simple Network ManagementProtocol), Telnet, etc. Alternatively, the IED may have exclusive accessto a particular port on the firewall, which is unknown to other users oneither the internal or external network. Other methods or techniques arecontemplated, for example, e-mail, HTTP tunneling, SNTP trap, MSN,messenger, IRQ, Twitter™, Bulletin Board System (BBS), forums, UniversalPlug and Play (UPnP), User Datagram Protocol (UDP) broadcast, UDPunicast, Virtual Private Networks (VPN), etc.

In another embodiment, the IED or metering device will communicatethrough the firewall using a server (not shown) disposed on an internalnetwork protected by a firewall. In this embodiment, the serveraggregates data from the various IEDs 310, 312, 314 coupled to theinternal or private network 316. Since the server and the IEDs 510, 312,314 are all on the same side of the firewall 318, generallycommunications and data transfers among the server and the IEDs 310,312, 314 is unrestricted. The server then communicates or transfers thedata from the IEDs to server 324 on the external network on the otherside of the firewall 318. The communication between server on theinternal network and server 324 may be accomplished by any one of thecommunication means or protocols described in the present disclosure.

In a further embodiment, the server disposed on the internal networkcommunicates or transfers the data from the IEDs to clients 328 on theexternal network on the other side of the firewall 318, without the needto transfer or pass data to a server on the external network.

In another embodiment, each IED 310, 312, 314 may be configured to actas a server to perform the functionality described above obviating theneed for a separate server.

Furthermore, in another embodiment, each IED 310, 312, 314 and eachclient device 328 may be configured as a server to create a peer-to-peernetwork, token ring or a combination of any such topology.

The systems and methods of the present disclosure may utilize one ormore protocols and/or communication techniques including, but notlimited to, e-mail, File Transfer Protocol (FTP), HTTP tunneling, SNTPtrap, MSN, messenger, IRQ, Twitter™, Bulletin Board System (BBS),forums, Universal Plug and Play (UPnP), User Datagram Protocol (UDP)broadcast, UDP unicast, Virtual Private Networks (VPN), etc. Common chatprotocols, such as MSN, AIM, IRQ, IRC, and Skype, may be used to send amessage, containing the meter's data, to a public chat server which maythen route that message to any desired client. A public social serverthat supports a common web interface for posting information, such asTwitter™, Facebook™, BBS's, may be used to post a status, containing themeter's data, to a user on the public social server for that service.This post may then be viewed by the clients to see the meter's data, orread by another server for further parsing and presentation. Hosted dataservices, such as a hosted database, cloud data storage, Drop-Box, orweb service hosting, may be used as an external server to store themeter's data, called Hosting. Each of these Hosts, e.g., server 540, maythen be accessed by the clients to query the Hosted Data. In anotherembodiment, the IEDs can communicate to devices using Generic ObjectOriented Substation Event (GOOSE) messages, as defined by the IEC-61850standard, the content of which are herein incorporated by reference.

Security in meters has been a traditionally overlooked feature in thepower industry. This has been due to a number of factors, including theuse of serial networks, limited connectivity of wider access networks,and a resistance of consumers to upgrade their devices. When security isimplemented in devices, it is often added as an afterthought, usingsimple numeric passwords, and little to no configurability. Worse, evenwhen complex passwords are allowed, users will often use simplepasswords that they repeat for every device on their network, due to thecomplexity of maintaining all those devices.

In a traditional system, each meter would be configured with individualsecurity configurations, where a security configuration is the set ofcredentials that a user requires to gain access to the criticalfunctionality of a meter. For example, in the example shown in FIG. 4 ,the credentials for User A would have to be configured individually inMeter A and in Meter B. For a large number of meters, this configurationmay take hours or days to perform, which would encourage administratorsto use the same password for all meters.

Additionally, after configuration, if User B needs to be removed, theconfiguration process would need to be performed for each device again,removing or disabling User B. Not only is this time consuming, it iserror prone; if the administrator misses one meter, the old credentialscan still be used, possibly allowing compromise.

One solution to individual security configuration in meters is anadministrative security configuration software, e.g., executing on aserver, that maintains the security configuration of all meters on anetwork, as shown in the example of FIG. 5 . Such a securityconfiguration software 509 may allow an administrator 510 to add,remove, or update the security credentials for all meters, e.g., meters502, 504, from a single interface generated by the software and/orserver (e.g., an interface such as, but not limited to, a web page). Thesoftware may then perform the configuration change on the meter for theuser. Such a solution may improve the management and security in metersby centralizing the configuration of security, reducing the possibilityof misconfiguration.

Additionally, this software may perform the action on groups, ranges, orall meters automatically, allowing the administrator to perform a singleaction on all the devices, without risk of misconfiguration. Forexample, if a user needed to be disabled in all the meters, theadministrator may click Disable on the user for all meters, and thesoftware would go to each meter, and disable that user, eliminating thepossibility that the administrator may forget a meter, or disable thewrong user.

Another solution is a system 600, as illustrated in FIG. 6 , whereinmeters 602, 604 on a network use a security server 606 for its securityconfigurations and validations, rather than relying on securityconfigured in each meter individually. Security server 606 providescentralized security to system 600. Users would continue to login asusual through client softwares, however all meter security configurationwould go through the security server 606. In such a system 600, thesecurity server 606 would not need to, though may, know the networkaddress of the meter.

In one implementation of a security server 606, a meter may pull itssecurity configuration from the security server 606 (e.g., periodicallyor on command) to maintain a local security database, as in exampleMeter A 602, where Meter A 602 includes at least the credentials forUser A and User B. The meter would still maintain a local securityconfiguration, which would be used for all user authentication andauthorization checks. The security server 606 may maintain a mapping ofmeters and user credentials, which the meter may then periodically checkthe security server 606 for changes, and if a change was detected, themeter may update its local security configuration. It is to beappreciated that the local security database or configuration may bestored in a memory, such as memory 118 and/or memory 120 as shown in themeter/IED 100 of FIG. 1 .

Security server stored configuration may be improved by allowing thesecurity server 606 to notify the meter that a security configurationhas changed. Once the meter receives this notification, the meter maythen query the security configuration update from the security server606. For example, the security server 606 may send a Modbus command tothe meter, to notify the meter that the Security Configuration of themeter was updated. As another example, the security server 606 may senda HTTP POST command to the meter. As another example, the securityserver 606 may broadcast a UDP to all devices on the network, notifyingthe meters that a Security Configuration update is available. Otherpossible notification protocols are envisioned.

Security server stored configuration may be further improved by storingsecurity configuration parameters other than credentials. For example,an administrator 610 may configure Meter A 602 to only allow 1 loginattempt every 5 seconds by storing that configuration on the securityserver 606, and Meter A 602 would implement this configuration whenMeter A 602 is updated from the security server 606. As another example,the administrator 610 may, through the security server 606, configureMeter B 604 to disable any login attempts from the serial port of theMeter B 604.

Security server stored configuration may be further improved by storingnon-security configuration parameters. For example, the administrator610 may configure the device profile of Meter A 602 by storing thatprofile on the security server 606, along with a command to Meter A 602to use the new profile. Meter A 602 would then install and use thisprofile when updated from the security server 606. As another example,individual device profile settings may be configured on Meter B 604through the Lightweight Directory Access Protocol (LDAP) settingsprofile of the Meter B 604. As LDAP is a tag/value storage system forusers, each setting may be stored as an individual entry. As anillustrative example, the following list of tags and values for anindividual LDAP entry may be used to store and configure the currenttransformer/potential transformer (CT/PT) ratios of a meter, representedin LDAP Data Interchange Format (LDIF):

meterCtPrimary: 400 meterCtSecondary: 5 meterPtPrimary: 1440meterPtSecondary: 120 meterHookup: WYE3It is envisioned that when the meter synchronizes with thisconfiguration from the LDAP server, i.e., security server 606, it maythen update its CT/PT ratios as appropriate. It is to be appreciatedthat security server 606 may be one server or a complex of servers toprovide interdependent features such as LDAP and Active Directory.

In another implementation of a security server 606, when the meter 602,604 receives an authentication or authorization request from a user, themeter 602, 604 may query the user credentials directly from the securityserver 606 for verification (e.g., rather than querying user credentialsagainst a local security database in the meter), as in example Meter B.In such an implementation, the meter 602, 604 would not store the usercredentials locally, but would instead rely on communications with thesecurity server 606. For example, when a user attempts to login to themeter 602, 604, the meter 602, 604 may query the security server 606 forthe user's credentials, then compare them locally. As another example,when a user which has already been authenticated tries to perform asecure action, the meter 602, 604 may query the security server 606 todetermine if the user has the permission to perform that action.

Such querying of the security server 606 may be improved by caching theuser's credentials locally, and only requerying the security server 606when those credentials have expired. For example, when the meter 602,604 queries a user's credentials from the security server 606, thecredentials may include an expiration date of one hour. All loginattempts by the user during that hour would be compared against thelocal credentials; after the expiration however, a new credentials wouldbe queried from the security server 606 for validation. It is alsoenvisioned that other methods of configuring the local cache credentialexpiration may be used, such as a hard coded or configurable setting inthe meter 602, 604 itself.

Such caching of credentials may be improved by only storing a limitednumber of credentials in the cache. If credentials were added to thecache, and the number of credentials stored in the cache exceeded thelimit, the oldest credentials would be discarded. It is envisioned thatthis limit may be hardcoded, or configurable through either the meter602, 604 itself, or though the security server 606.

Such querying of the security server 606 may be improved in another way,for example, by never transferring the user credentials from thesecurity server 606 to the meter 602, 604. Instead, the meter 602, 604would send the User Credentials to test to the security server 606, andthe security server 606 would respond with their validity. In such asystem, the user credentials would never be transferred out of thesecurity server 606, reducing the possibility of an unintendedinformation leak. Additionally, an arbitrary number of users may begiven access to the meter 602, 604, since the security configurationwould not be limited by the storage capabilities of the meter 602, 604itself. For example, when a user attempts to login to the meter 602,604, the meter 602, 604 may send the user credentials to the securityserver 606, and the security server 606 may respond with the validity ofthose credentials.

Such querying of the security server 606 may be improved by combiningthe local cache with validate only queries. In such an implementation,the security server 606 would never transfer valid user credentials tothe meter 602, 604, but instead the meter 602, 604 caches thecredentials provided by the user when the meter 602, 604 receives avalidity response from the security server 606. For example, if a user'scredentials were correct when validated against the security server 606,the meter 602, 604 may cache those credentials such that the next timethe user sends those credentials, the credentials are validated againstthe local cache, rather then sending another validation request to thesecurity server 606. As another example, if a user's credentials wereincorrect when validated against the security server 606, the meter 602,604 may cache those invalid credentials, and reject later attempts withthose credentials without sending another validation request. As anotherexample, if valid credentials are cached, and invalid credentials aresupplied, the credentials may be rejected without sending anothervalidation request.

Such querying of the security server 606 may also be improved bylimiting the number of requests that can be made against the securityserver 606. For example, a meter 602, 604 may only allow sending onecredential verification per second. As another example, a meter 602, 604may limit credential verifications per user to one a second.

In another implementation of a security server 606, instead ofconfiguring individual lists of user credentials for each meter 602,604, a single list of user credentials may be created, and all meters602, 604 may use that list for validation. In such a system, a user maythen apply the same credentials to every meter, thus simplifying thelogin process. It is envisioned that such a system, security may beimproved by not forcing users to store many different credentials, whileat the same time allowing more complex security configurations. Forexample, the administrator 610 may configure User A 612 in the securityserver 606, and User A 612 may then login to Meter A 602 and Meter B 604with the same credentials, without the administrator 610 having toconfigure User A 612 for each meter 602, 604. As another example, User B614 may have their password changed by the administrator 610, and MeterA 602 and B 604 would both see the change without explicitconfiguration.

Such common user credentials may be improved by listing what meters 602,604 each user has access to, as part of their configuration in thesecurity server 606. For example, User A 612 may be configured to haveaccess to Meter A 602, but not Meter B 604. When User A 612 attempts tologin to Meter B 604, even if the credentials are valid for User A 612,they will be rejected as if they were invalid. Alternatively, they maybe rejected with an invalid permission message.

Centralized Security may be improved by controlling User AccessPermissions through Groups, such that each User would be a member of oneor more Groups, and Access Permissions would be configured on thoseGroups. In this way, permissions are centralized and configured throughshared groups. It is envisioned that such a system would simplifyadministration by allowing an administrator to configure AccessPermissions for multiple Users simultaneously, by editing a singleGroup. For example, all Users which perform the initial wiring hookup ofthe meter 602, 604 may be assigned to a Group “technicians”, whichallows access to readings, but not firmware updates. As another example,all Users at Facility A may be assigned to a Group “facility_a”, whichallow access to meters at Facility A, but not meters at Facility B. Asanother example, technicians at Facility A may be assigned to bothGroups “technicians” and “facility_a”, providing both sets of AccessPermissions.

It is appreciated that Group Access Permissions may be implemented inmultiple fashions, depending on how Access Permissions are checked withthe security server 606. For example, the meter may store a list ofPermissions for each User, that is just the logical OR of all configuredGroups. As another example, the meter may store a list of all Groups andtheir Access Permissions, and the Group membership of each User. Then itmay iteratively check each member Group for the appropriate AccessPermission when authorizing a User. As another example, when the meter602, 604 requests authorization for a User with the security server 606,the security server 606 may check the aggregate of member Group AccessPermissions for the specified User.

Group Access Permissions may be improved by allowing additional AccessPermissions to be added or removed from a specific User, above andbeyond the Access Permissions provided by their Group Memberships. Forexample, User B which is a member of the “technicians” group may begiven the special added Access Permission to reset energy. Thispermission would only be accessible to User B, and not User A, which isalso a member of Group “technicians”. As another example, User C whichis a member of “facility_a” group may have access to Meter D, which is ameter that is at Facility A. Other members of “facility_a” would stillhave access to Meter D.

Another implementation of Group Access Permissions may be to use theexisting Group Access Permission methodologies of Common Protocols andSecurity Servers. For example, Windows Active Directories organize usersunder Group Membership, and Groups have a set of common permissions,such as Read, Write, Special, and Full Control, on objects managed byActive Directory. In such a system, meters 602, 604 may be designated asnodes in the Active Directory, and features of the meter, such asUpdating Firmware, Reading Logs, and Updating Device Profiles, may bedesignated as Active Directory objects to be managed.

Centralized Security may be improved by providing an audit of thecurrent security configuration of all the meters. For example, a reportthat lists the users that are permitted to login to each meter 602, 604may be created by security server 606. As another example, a report thatlists all meters 602, 604 a user can access may be created by securityserver 606. As another example, a report that lists all configuredpermissions across all meters 602, 604 may be created by security server606. As another example, a report that lists all users which belong toan access permission group may be created by security server 606. Asanother example, the current non-credential security profiles, such aslogin time outs, may be listed for each meter 602, 604 when securityserver 606 creates the report.

Security Audits may be improved by storing a Security Log on thesecurity server 606, that may track all Security Actions performedagainst the security server 606. It is envisioned that such a SecurityLog may be handled by a custom engine, or a common tool such as syslogd.For example, the security server 606 may log each authorization requestby a meter 602, 604 for a User's Credentials. As another example, thesecurity server 606 may log each permission check performed by a meter602, 604. As another example, the security server 606 may log eachsecurity configuration request made by a meter 602, 606. As anotherexample, the security server 606 may log a meter's access validationresults.

Such Security Logs may be improved by providing commands between themeter 602, 604 and security server 606, such that the meter 602, 604 mayreport security events in the meter 602, 604 itself to the securityserver 606, which in turn would add the event to its log. Such a commandmay be performed using a custom protocol, or a common protocol, such assyslog or LDAP. For example, the meter 602, 604 may log each time a Userreset energy in the meter 602, 604. As another example, the meter 602,604 may log each time the firmware was updated. As another example, themeter 602, 604 may log each time the meter 602, 604 is powered up, andthe possible reason it shut off. As another example, the meter 602, 604may log performance changes, such as running slower than expected, asthis may indicate an attack. It is envisioned that such performancechanges may include, but not be limited to, a drop in CPU cycles, a realtime task falling behind expected time slots, timed events taking longerthan a threshold, or events per second exceeding a threshold. Suchevents may include, but is not limited to, TCP Packets arriving, ICMPpackets, Modbus queries, Web Server queries, Web Service queries, Loginattempts, PQ Log events, or System Event Log events.

Such Security Logs may be improved by providing reports (e.g., generatedby security server 606) on the events logged. For example, a report ofall events which occurred on Meter A 602, between 2019 Jan. 1 and 2019Feb. 1 may be generated by security server 606. As another example, areport of all events which occurred for all meters 602, 604 between 2019Feb. 1 and 2019 Feb. 2 may be generated by security server 606. Asanother example, a report of all failed logins on all meters 602, 604 atFacility A between 2019 Feb. 3 11:00 and 2019 Feb. 3 12:00 may begenerated by security server 606.

Such Security Logs may be further improved by providing the ability tosend security events to an external server for logging. Such an externalserver may then be used as backup, log comparison and verification,analysis, and reporting. For example, the security server 606 mayautomatically send a batch file of events to an external server 607, asshown in FIG. 6 , which may then import those events. As anotherexample, the administrator 610 may manually export a selected range ofevents, and manually import them to an external server 607. As anotherexample, the security server 606 may automatically route the events tothe external server 607 in syslog format, as each event comes into thesecurity server 606.

Such Security Logs may be further improved by feeding the logs into aSIEM, or Security Information and Event Management system, thus enablesSIEM analysis. For example, such a system may be used to aggregatesecurity events between Meter events, and other systems, such as Windowsand Linux Host events. As another example, the SIEM may be used to alertthe administrator 610 when specified events are detected, a threshold ofevent occurrences is detected, or a combination of events occurs, suchas more than 100 logins across all meters 602, 604 in a single second.As another example, the SIEM may be used to display log events in adashboard format, for easy visualization, such as graphing the number oflogins every minute over a day. As another example, the SIEM may be usedfor cybersecurity forensics analysis, by allowing an analyst to searchand filter for specific aggregates of events, such as finding all loginswhich come from a specific IP address. It is envisioned that such SIEMintegration may be performed by the security server 606 as describedhere, or by the meter itself, e.g., meter 602, 604.

Such integration with a SIEM may be improved by using a common SecurityLog format, such as the syslog format, and include parseable tags in themessage field. For example, User login attempts may be represented as,but would not be limited to, the following:

Apr. 17, 2019 11:33:28 E159-0123456789 EIG:0|EIG|E159_Run|v4.3|101|msg=User user1@test.com login|1|eig-loc=Login_Success eig-user=user1@test.com eig- raddr=10.153.10.82:54312eig-session=78338A13-F98C-4EF8-A829-0260AF25DCDEApr. 17, 2019 11:33:29 E159-0123456789 EIG:0|EIG|E159Run|v4.3|102|msg=User user2@test.com login|5|eig-loc=Login_Failed eig-user=user2@test.com eig- raddr=10.153.10.85:11112 eig-reason=InvalidPassword

Such Security Logs may be further improved by feeding the logs into anIDS, or Intrusion Detection System, thus enabling IDS analysis. An IDSis a system which aggregates Network based events and Host based events,attempts to analyze them, and flag events which might be caused by anintrusion by an attacker. Such an IDS may then monitor events whichoccur on meters 602, 604, and alert administrators to possible intrusionattempts on those meters 602, 604. It is envisioned that the SecurityLog may be expanded to include Host information, such as firmware andfile versions and signatures, to support better analysis by an IDS.

In another implementation of a security server 606, the protocol usedbetween the meter, e.g., meters 602, 604, and security server 606 mayinclude LDAP, RADIUS, Diameter, Kerberos, etc, to configure and verifyusers. For example, LDAP may be used to pull the user's securityconfiguration from the security server 606. As another example, RADIUSor Diameter may be used for user credentials validation requests. Asanother example, Kerberos may be used for both configuration requests,and credentials validation requests.

In another implementation of a security server system, the meter 602,604 may integrate with a customer's preexisting security server, such asa RADIUS Server, a Windows Active Directory Server, or a general LDAPServer. In such an arrangement, the meter 602, 604 would be configuredto communicate and authenticate with the preexisting security server bythe administrator. Additionally, the meter 602, 604 would use thesecurity server's common protocol, such as RADIUS or LDAP, forcommunications with the security server.

Using a preexisting security server may be improved by using amanagement software 720 that is aware of the communications settings forall the meters, such that the management software 720 is able toautomatically configure the meters with the security server'sconfiguration, as shown in FIG. 7 . For example, if the managementsoftware 720 knows about Meter A 702 and Meter B 704, i.e., themanagement software 720 has or has access to the information on how tocommunicate and configure each meter, the admin 710 may use themanagement software 720 to configure Meter A 702 and Meter B 704 withthe security server's parameters, e.g., an IP address, VPN credentials,login credentials, security certificates, etc. Meter A 702 and Meter B704 would then use those security server parameters to connect to thesecurity server 706 for their security configuration. It is to beappreciated that the management software 720 may automatically updateeach meter in the fleet, reducing configuration error. It is alsoenvisioned that the security server 706 may be the management software720.

While it is important for users to be properly authenticated andauthorized by the meters, the meters themselves need to be verified whenconnecting to the security server 606, 706, i.e., meter-server security.Without this, an attacker may interact with the security server 506,606, 706 directly without restriction.

Additionally, if authentication information between the meter andsecurity server is sent in the clear, even if the login process with themeter itself were protected from eavesdropping, an attacker may stilllisten to the authentication commands sent between the meter andsecurity server.

One solution to authenticating the meter with the security server may beto include credentials with the security server configuration written tothe meter. In one implementation of such meter credentials, ausername/password pair may be used to authenticate the meter to thesecurity server. For example, a username and password may be created foreach meter, which would then be used by the meter when contacting thesecurity server to authenticate the meter, before performing any othersecurity actions. As another example, a single username and password maybe created for each meter. As another example, the usernames andpasswords of regular users may be used.

Another implementation of meter credentials may be to provide the meterwith a client certificate, which the security server would verify toauthenticate the meter. For example, referring to FIG. 8A, securityserver 806 may generate a certificate for each meter 802, which may thenbe written as part of the security server configuration to the meter.The meter 802 may then provide that certificate to the security server806 for authentication, before performing any other security services.As another example, meter's may all be configured with a singlecertificate generated by the security server 806.

Meter certificates may be improved by generating the certificate as partof a handshake procedure between the security server 806 and the meter802. This would allow the meter 802 to establish the private key of thecertificate and provide the public key to the security server 806,without a middleman holding the certificate, which may allow thecertificate to be stolen. For example, referring to FIG. 8B, in step850, the security server 806 generates a certificate 801 for meter 802and transmits the certificate 801 to meter 802. When the meter 802initially authenticates with the security server 806, the meter 802 maygenerate a second certificate 803 based on the security server'scertificate 801, in step 852. The second certificate 802 would establishprivate keys 805 unique to the meter 802, in step 854, and the meter 802would exchange the public information, e.g., a public key 807, back tothe security server 806, in step 856. It is envisioned that otherauthentication methods, such as a static certificate, orusername/password pairs, may be used for the initial handshakeauthentication.

Meter certificates may be improved by using the meter's clientcertificate 803 to sign the actual messages going to the security server806. Such signing would allow the security server 806 to authenticatethat each message sent by the meter is actually from the meter. Forexample, when the meter generates a message to send to the securityserver 806, the meter 802 may compute the hash of the message, generatea signature of the combination of the message and hash using thecertificate's private key, and send the combined message and signatureto the security server 806, in step 858. The security server 806 wouldthen verify both the signature and hash to authenticate the message camefrom a valid meter, in step 860. For example, if either the message orhash has been changed, the signature generated at the server 806 forverification will not match the signature generated at the meter 802.Such validation may be done with the public keys in either a singleshared certificate arrangement, or unique meter generated certificatearrangement.

Meter certificates may be further improved by requiring the securityserver 806 to provide a certificate to the meter 802 when the meter 802connects. As without it, an attacker may imitate the security server806, and trick the meter 802 into connecting. Emulating the securityserver 806 may allow the attacker to authenticate invalid usercredentials, or even collect valid user credentials. One implementationof this may be to configure the meter with the public keys of thesecurity server's certificate. Another implementation may be to use acertificate chain, and sign the security server's certificate with aCertificate Authority trusted by the meter.

Another solution to authenticating the meter with the security server,may be to use a Secure Connection between the meter and the securityserver, e.g., an encrypted tunnel such as an SSL tunnel between themeter and security server. It is envisioned that such a SecureConnection would mitigate eavesdropping by an attacker, would mitigatean attacker sending faked commands and queries, and would limit anattacker's ability to run a fake security server.

One implementation of a Secure Connection may be to use SSL/TLS betweenthe meter, e.g., meters 602, 604, 702, 704, 802, and security server,e.g., server 606, 706, 806. For example, when the meter initiates aconnection to the security server, the meter may start with a TLShandshake, and only continue with the actual commands and queries to thesecurity server once the Secure Connection Tunnel has been established.It is envisioned that once the Secure Connection Tunnel has beenestablished, the normal protocol between the meter and security serverwould be used.

SSL/TLS Secure Connections may be improved by requiring that thesecurity server provide a valid certificate during the SSL/TLS handshaketo the meter. For example, if the security server 806 does not provide acertificate which the meter 802 recognizes as valid, the meter 802 mayassume the security server 806 is invalid or being impersonated, andreject the connection. Otherwise, the meter 802 would assume thesecurity server 806 is valid, and continue.

SSL/TLS Secure Connections may be improved by requiring that the meter802 provide a valid certificate during the SSL/TLS handshake to thesecurity server 806. For example, if the meter does not provide acertificate which the security server recognizes as valid, the securityserver may assume the meter is invalid or being impersonated, and rejectthe connection. Otherwise, the security server would assume the meter isvalid, and continue.

Another implementation of the Secure Connection may be to use IPSEC(Internet Protocol Security) between the meter and security server. Forexample, when the meter initiates a connection to the security server,the meter may use IPSEC to authenticate the meter to the securityserver, and vice versa.

IPSEC Secure Connections may be further improved by using the encryptedprotocols of the IPSEC suite. For example, ESP, also known asEncapsulating Security Payload, may be used to provide encryption of thetunnel. It is acknowledged that ESP also provides authentication of theconnection, and thus would also fulfill the role of AuthenticatedHeaders.

Another implementation of the Secure Connection may be to use a VPN, orVirtual Private Network, Tunnel along the path between the meter and thesecurity server. For example, the meter may establish a VPN tunnel to ahardware VPN appliance, which provides a bridge to the private networkthe security server is on. Security queries and commands would then besent over the VPN Tunnel as normal. As another example, the meter mayestablish a VPN tunnel directly to the security server. It isappreciated that while non-encrypted and non-authenticated VPN tunnelsare possible, encrypted and authenticated VPN tunnels are preferred.

It is to be appreciated that other centralized security configurationsare contemplated to be within the scope of the present disclosure suchas, but not limited to, Federated Identity, i.e., sharing login servicesacross multiple applications, Single Sign On, Delegated Authority, i.e.using shared security tokens so nodes such as an application or themeter do not need access to the user's credentials, OAuth, Shibboleth,Kerberos Tokens, Multifactor authentication (MFA), i.e., using MFA inaddition to user credentials to authenticate a user, etc.

While passwords are one of the most common and entrenched forms ofcredentials, in general memorized secrets, which includes passwords,pins, and other such sequences that a user must remember to prove whothey are, passwords are vulnerable to compromise. The primary problemwith such memorized secrets is that, due to the fact that they must beremembered by the user, they are often simple or repetitive, which makesguessing by hackers easier. Complexity rules often make the problemworse, as it only encourages users to choose easy to remember repetitivepatterns.

One solution to the simplicity problem is to use authenticationcredentials other than memorized secrets. Credentials only need besomething that proves that the user is who they claim that they are, thesecret that only they possess.

One possible implementation of alternate forms of credentials may be akey which only the user may possess, stored on the user's computer, andtransferred to the server/meter as proof of identity. It is to beappreciated that in one embodiment, the meter may act as the server, andthe user's device (e.g., personal computer (PC), phone, mobile device,etc.) is the client, e.g., client 328. In other embodiments, asdescribed above, the alternate forms of credentials may also apply tosecurity between the meter 100/310/312/314/502/504/602/604/702/704/802(i.e., as a client) and the security server (e.g. server 606, 706, 806).All verification of the credentials may be done by the meter or byanother security server (with the meter as a middleman), as has beenpreviously described.

While such a key may be similar to a password, without the need formemorization, length and complexity may be much greater; as well asallowing automated generating and distribution. For example, a hiddenfile on the user's computer may contain a secret key, such as“iD23oi(*&3243987dfs”, shared between the server (or meter) and clientsimilar to a password. As another example, because the key would notneed to be memorized by a user, the key may be thousands of characterslong. As another example, the key may be binary rather than text, as itwould not need to be typed in by a user.

Such a stored credential may be improved by allowing it to be a securitycertificate, where instead of sharing the certificate, only theauthority chain of the certificate would need to be shared. For example,the server may be configured with the public keys of a root certificate,and each user's certificate created from that root certificate. Eachcertificate would then be distributed to the users, to be later usedwhen logging in to the server and/or meter.

Such credentials stored on a user's computer, e.g., client 328, sufferfrom the risk of compromise, either if the computer is left unattended,or hacked. One possible solution to stored credentials is to encrypt thestored credentials. Access to such an encrypted storage would stillrequire entry of credentials; however, as such an encrypted storagewould be local only, the risk of compromise of the credentials foraccess to the encrypted storage would be less than a public facingserver. As such, it may be a memorized secret; though it is envisionedthat any other alternative credentials may be used as well. For example,when the user needs to provide credentials to a server or meter, insteadof entering the credentials to the server/meter, the user would providethe credentials to the encrypted storage on the user's local device,e.g., client 328, from which the client device would extract thecredentials to the server/meter.

Such an encrypted storage may be improved by storing multiplecredentials for multiple services, such as a keyring or passwordmanager. For example, the user's credentials to server/meter A, B, and Cmay all be stored in the encrypted storage on the user's device, e.g.,client 328, and the appropriate credentials extracted based on someidentifying feature of the server/meter, such as a unique id or tag.

Such an encrypted storage may be improved by allowing the clientsoftware access to interface with the encrypted storage. In thisembodiment, the user would enter the credentials to the encryptedstorage into the client software. The client software would then requestthe server/meter credentials from the encrypted storage using the user'sentered credentials; then those extracted server credentials would besent to the server/meter for authentication.

Another possible solution to stored compromise/credentials is to storethe credentials on an external device. Such a physical external devicemay be carried around by the user, with the added benefit of allowingthe stored credentials to be used on multiple client devices. Forexample, a file system on a USB stick, hard drive, DVD, or other mobilestorage media, may contain the credentials file. As another example, adedicated USB device may give out the stored credentials using a USBcommand. As another example, such a physical device may also contain anencrypted storage as described earlier. In this embodiment, the externaldevice may be coupled to the user's client device, where the clientdevice may extract the credentials and forward the credentials to theserver/meter.

Such a solution may be improved by requiring physical input on thedevice storing the credentials, and only allow access to the storedcredentials when that input enables it. For example, the device may havea button that must be pressed within 30 second of credential request, orphysically held down, for the credential storage to be accessible. Asanother example, the device may have a pin entry pad, and only unlock ifthe correct pin is entered.

Another solution to stored compromise is for the credentials to bedynamically generated, in such a way that both the credential storageand the server/meter agree on what the dynamic credentials should be,without transmitting that secret beforehand. In one embodiment, a seedtoken may be transmitted from the server/meter on request, then used bythe client to generate a new dynamic password when combined with thestatic previously shared credentials. For example, when the client,e.g., client 328, requests to login, the server/meter, e.g., meter100/310/312/314/502/504/602/604/702/704/802, sends an out of bandmessage to the client with a dynamic token. The client then has 30seconds to combine the token with the pre-shared credentials and sendback a dynamically generated key to the server/meter. The server/meterthen authenticates both the pre-shared credentials, and the dynamic keyincluded. As another example, in such a system, the dynamic token may beused as a key in encrypting the pre-shared credentials.

Another possible implementation of dynamic credentials may be one basedon a common frame of reference that doesn't need to be transmittedbetween client and server/meter, such as time of day. For example, thetime may be used as a token, adjusted or rounded to account for timebetween computation on the client and verification on the server/meter.As another example, the time may be used as the seed in generating thetoken. As another example, a common protocol such as TOTP, Time-basedOne-time Password, may be used to generate a one-time credential. Inaddition to using such tokens as credentials with the server/meter, thetokens may also be used as seed tokens to be combined with thepre-shared credentials, as described earlier.

Another implementation of alternative credentials may be out of bandinformation which can only be received by the user. In particular, thishelps mitigate the problem of stored credentials on the client, andinstead relies on the security of the transmission media to communicatethe out of band information. For example, an email may be sent to thatuser, containing a token, which may then be supplied to the server/meteras proof of identity. As another example, an SMS text message may besent. As another example, a UDP or TCP message on a shared port may besent to the client; perhaps as a message to the client directly, or as amessage to a secondary application, from which the token is copied. Asanother example, the token may be displayed on the screen of theserver/meter in the location of the physical server/meter, which maythen be entered by the user, thus proving that the user is in thelocation of the server/meter. As another example, a camera of a phone orother mobile device may be used to read the information from the displayof the server/meter, either using Optical Character Recognition (OCR),or another image based data transfer method, such as QR Code. As anotherexample, speakers on the server/meter may emit a tone, and a microphoneof the phone of the user may receive and use the pitch, or the sequenceof tones, as a token to send to the server/meter.

Another implementation of alternative credentials may be biometriccredentials. In such a system, either the whole biometric data, or adigital signature generated from such data, may be used as credentials.For example, the fingerprints of the user may be registered with theserver/meter and used as credentials. As another example, the iris ofthe user may be used. As another example, the voice pattern of the usermay be used. As another example, facial recognition of the user's facemay be used.

Such voice biometrics may be improved by requiring that the user read aspecific dynamic token, and both the voice pattern, and the speech totext analysis, may be used for verification. For example, the user maybe asked to read “the dog”, and both their voice pattern would beanalyzed, and the words “the dog” detected. It is envisioned that insuch a system, repeated attempts with different words may be allowed toaid recognition.

Another implementation of alternative credentials may be humanauthentication by an already authenticated user. For example, after UserA logs into the system/meter (e.g., meter100/310/312/314/502/504/602/604/702/704/802), User B attempts to log into the system/meter. User B then calls User A (or contacts User A byother means such as a SMS text message), and requests to beauthenticated. User A verifies the identity of User B, and signals thesystem/meter to allow User B access, perhaps but not limited to, bysending a secure command to the system/meter (e.g., meter100/310/312/314/502/504/602/604/702/704/802) from User A's device, e.g.,client device 328. As another example, when User B calls User A, User Agets a token from the system/meter, which they supply to User B asdynamic credentials to log in to the system/meter.

Human authentication may be extended by using it for authorization aswell. For example, after User B has already been authenticated and UserB wishes to perform a secure action, such as updating firmware, User Bmay notify User A, such as by a phone call or application message. UserA would then authorize User B to perform that secure action, e.g., bysending a secure message to the server/meter. It is envisioned that suchauthorization would be temporary in nature, either for the length ofUser B's login session, or for a configured time period, but this is notrequired.

No matter how strong a credential is, it can always be compromised:Devices can be stolen, faces can be faked, messages can be intercepted,passwords can be guessed. One solution is to require multiplecredentials to authenticate a user's identity, also known asmulti-factor authentication (MFA). Each additional credential requiredlowers the risk of any one credential being compromised; only when allcredentials are compromised is the user compromised.

In one embodiment, multiple credentials may be to require multiplememorized secrets. For example, the user may be required to enter to theserver/meter a password, and the answer to a personalized question. Asanother example, the user may be required to enter two passwords, or onepassword and a pin. It is envisioned that any number of credentials maybe required, based on the requirements of the system including theserver, meter and/or client.

In another embodiment, multiple credentials may be to require two ormore of any type of alternate credential. For example, the user may berequired to enter a password, and supply a biometric id such as afingerprint scan. As another example, the user may be required to entera password to the server/meter, and the client software may send astored credential, either stored on the computer being used, or adedicated physical device, where the server/meter may validate thestored credential.

Such embodiments of multiple credentials may be improved by requiringcredentials of differing classifications. Since a password and a pin areboth memorized secrets, both can be guessed or leaked. Since storedcredentials exist on a device, requiring multiple stored credentials canbe compromised if those devices are stolen. By requiring the user toprovide credentials of differing types, such as a password and a storedcredential, the compromise of any one type of credential does notexplicitly compromise the others. For example, passwords and storedcredentials would be of differing types, but stored and dynamiccredentials, if they come from the same device, would not.

In another embodiment of using multiple credentials, a subset ofcredentials may be required after the initial identity has beenauthenticated. This may improve user experience and ease adoption byminimizing repetitive entry of credentials. For example, a password andstored credentials may be required on initial login, but only storedcredentials when accessing a feature, such as configuring meterprofiles, that requires confirmation of identity. As another example, apassword and face recognition may be required on initial login, but onlyface recognition when accessing such a feature.

Such an implementation of multiple credentials may be extended byallowing different users or roles to require differing types ofcredentials. For example, low security roles and users may require onlya password to login, but high security roles and users may require apassword, stored credential, and dynamic credential. As another example,the requirement of dynamic credentials may be added to users as physicaldevices were rolled out by IT to users.

Such an implementation of multiple credentials may be further extendedby allowing differing features to require differing credentials. Forexample, login may require only a password, but updating settings, evenif the user has already been configured with the permission to updatesettings, may require a dynamic credential. As another example, updateof settings may require an additional password, different from thepassword used by the user during login.

Such an implementation of multiple credentials may be further extendedby allowing users to select different types of credentials from eachother. For example, User A may select to use a password and storedcredential, and User B may use biometrics and dynamic credentials. It isenvisioned that such a system may improve security for forcing anyhacker to guess which type of credential is used, in addition todetermining the credentials themselves.

Such an implementation of multiple credentials may be improved by usingcommon multi-factor authentication protocols and solutions. Such commonprotocols and solutions may include, but are not limited to, GoogleAuthenticator, Authy, Duo, OKTA, RSA SecurelD, LastPass, AuthO, YubiKey.

FIG. 9 is a block diagram illustrating physical components of acomputing device 902, for example a client computing device (such asclient 328), a server (such as security server 606/706/806), or anyother computing device, with which examples of the present disclosuremay be practiced. In a basic configuration, the computing device 902 mayinclude at least one processing unit 904 and a system memory 906.Depending on the configuration and type of computing device, the systemmemory 906 may comprise, but is not limited to, volatile storage (e.g.,random access memory), non-volatile storage (e.g., read-only memory),flash memory, or any combination of such memories. The system memory 906may include an operating system 907 and one or more program modules 908suitable for running software programs/modules 920 such as 10 manager924, other utility 926 and application 928. As examples, system memory906 may store instructions for execution. Other examples of systemmemory 906 may store data associated with applications. The operatingsystem 907, for example, may be suitable for controlling the operationof the computing device 902. Furthermore, examples of the presentdisclosure may be practiced in conjunction with a graphics library,other operating systems, or any other application program and is notlimited to any particular application or system. This basicconfiguration is illustrated in FIG. 9 by those components within adashed line 922. The computing device 902 may have additional featuresor functionality. For example, the computing device 902 may also includeadditional data storage devices (removable and/or non-removable) suchas, for example, magnetic disks, optical disks, or tape. Such additionalstorage is illustrated in FIG. 9 by a removable storage device 909 and anon-removable storage device 910.

As stated above, a number of program modules and data files may bestored in the system memory 906. While executing on the processing unit904, program modules 908 (e.g., Input/Output (I/O) manager 924, otherutility 926 and application 928) may perform processes including, butnot limited to, one or more of the stages of the operations describedthroughout this disclosure. For example, one such application 928 mayimplement the administrative security configuration software 509 shownand described in relation to FIG. 5 . In another example, one suchapplication 928 may implement the security management software 720 shownand described in relation to FIG. 7 . Other program modules that may beused in accordance with examples of the present disclosure may includeelectronic mail and contacts applications, word processing applications,spreadsheet applications, database applications, slide presentationapplications, drawing or computer-aided application programs, photoediting applications, authoring applications, etc. It is to beappreciated that several modules or applications 928 may be executesimultaneously or near simultaneously and may share data. For example,an application 928 such as a Security Information and Event Management(SIEM) application may receive data from a logging application and usesuch data to perform an analysis as described above. As another example,an application 928 such as an Intrusion Detection System (IDS)application may receive data from another application, such as a loggingapplication, the security management software 720, etc., and use suchdata to perform an analysis as described above.

Furthermore, examples of the present disclosure may be practiced in anelectrical circuit comprising discrete electronic elements, packaged orintegrated electronic chips containing logic gates, a circuit utilizinga microprocessor, or on a single chip containing electronic elements ormicroprocessors. For example, examples of the present disclosure may bepracticed via a system-on-a-chip (SOC) where each or many of thecomponents illustrated in FIG. 9 may be integrated onto a singleintegrated circuit. Such an SOC device may include one or moreprocessing units, graphics units, communications units, systemvirtualization units and various application functionality all of whichare integrated (or “burned”) onto the chip substrate as a singleintegrated circuit. When operating via an SOC, the functionalitydescribed herein may be operated via application-specific logicintegrated with other components of the computing device 1302 on thesingle integrated circuit (chip). Examples of the present disclosure mayalso be practiced using other technologies capable of performing logicaloperations such as, for example, AND, OR, and NOT, including but notlimited to mechanical, optical, fluidic, and quantum technologies. Inaddition, examples of the present disclosure may be practiced within ageneral purpose computer or in any other circuits or systems.

The computing device 902 may also have one or more input device(s) 912such as a keyboard, a mouse, a pen, a sound input device, a device forvoice input/recognition, a touch input device, etc. The output device(s)914 such as a display, speakers, a printer, etc. may also be included.The aforementioned devices are examples and others may be used. Thecomputing device 904 may include one or more communication connections916 allowing communications with other computing devices 918 (e.g.,external servers 607) and/or meters/IEDs 919 (e.g., IEDs100/310/312/314/502/504/602/604/702/704/802). Examples of suitablecommunication connections 1316 include, but are not limited to, anetwork interface card; RF transmitter, receiver, and/or transceivercircuitry; universal serial bus (USB), parallel, and/or serial ports.

The term computer readable media as used herein may include computerstorage media. Computer storage media may include volatile andnonvolatile, removable and non-removable media implemented in any methodor technology for storage of information, such as computer readableinstructions, data structures, or program modules. The system memory906, the removable storage device 909, and the non-removable storagedevice 910 are all computer storage media examples (i.e., memorystorage.) Computer storage media may include RAM, ROM, electricallyerasable read-only memory (EEPROM), flash memory or other memorytechnology, CD-ROM, digital versatile disks (DVD) or other opticalstorage, magnetic cassettes, magnetic tape, magnetic disk storage orother magnetic storage devices, or any other article of manufacturewhich can be used to store information and which can be accessed by thecomputing device 902. Any such computer storage media may be part of thecomputing device 902. Computer storage media does not include a carrierwave or other propagated or modulated data signal.

Communication media may be embodied by computer readable instructions,data structures, program modules, or other data in a modulated datasignal, such as a carrier wave or other transport mechanism, andincludes any information delivery media. The term “modulated datasignal” may describe a signal that has one or more characteristics setor changed in such a manner as to encode information in the signal. Byway of example, and not limitation, communication media may includewired media such as a wired network or direct-wired connection, andwireless media such as acoustic, radio frequency (RF), infrared, andother wireless media.

It is to be appreciated that the various features shown and describedare interchangeable, that is a feature shown in one embodiment may beincorporated into another embodiment. It is further to be appreciatedthat the methods, functions, algorithms, etc. described above may beimplemented by any single device and/or combinations of devices forminga system, including but not limited to meters, IEDs, servers, storagedevices, processors, memories, FPGAs, DSPs, etc.

While non-limiting embodiments are disclosed herein, many variations arepossible which remain within the concept and scope of the presentdisclosure. Such variations would become clear to one of ordinary skillin the art after inspection of the specification, drawings and claimsherein. The present disclosure therefore is not to be restricted exceptwithin the spirit and scope of the appended claims.

Furthermore, although the foregoing text sets forth a detaileddescription of numerous embodiments, it should be understood that thelegal scope of the present disclosure is defined by the words of theclaims set forth at the end of this patent. The detailed description isto be construed as exemplary only and does not describe every possibleembodiment, as describing every possible embodiment would beimpractical, if not impossible. One may implement numerous alternateembodiments, using either current technology or technology developedafter the filing date of this patent, which would still fall within thescope of the claims.

It should also be understood that, unless a term is expressly defined inthis patent using the sentence “As used herein, the term ‘______’ ishereby defined to mean . . . ” or a similar sentence, there is no intentto limit the meaning of that term, either expressly or by implication,beyond its plain or ordinary meaning, and such term should not beinterpreted to be limited in scope based on any statement made in anysection of this patent (other than the language of the claims). To theextent that any term recited in the claims at the end of this patent isreferred to in this patent in a manner consistent with a single meaning,that is done for sake of clarity only so as to not confuse the reader,and it is not intended that such claim term be limited, by implicationor otherwise, to that single meaning. Finally, unless a claim element isdefined by reciting the word “means” and a function without the recitalof any structure, it is not intended that the scope of any claim elementbe interpreted based on the application of 35 U.S.C. § 112, sixthparagraph.

What is claimed is:
 1. A system comprising: a network for couplingdevices and enabling the transmission of data between the devices; atleast one security server coupled to the network including a firstmemory, the first memory configured to store security configurations fora plurality of meters; and the plurality of meters, each meter of theplurality of meters including: a communication device for coupling themeter to the network and receiving the security configuration for themeter, and a second memory for storing the security configuration in alocal database, wherein the security server sends a notification to eachmeter when a security configuration has changes and the meter pulls thechanged security configuration after receiving the notification, thenotification being sent via at least one of a Modbus command and/or aHTTP POST command.
 2. The system of claim 1, wherein the first memoryfurther includes a mapping of each meter to security credentials ofindividual users.
 3. The system of claim 1, wherein the communicationdevice of each meter is configured to pull the security configurationfrom the security server without the security server knowing the networkaddress of the meter.
 4. The system of claim 1, wherein the notificationis broadcast as a UDP (user datagram protocol) message to the pluralityof meters.
 5. The system of claim 1, wherein the security configurationfor each meter includes a device profile for the meter, the deviceprofile including security and non-security parameters.
 6. The system ofclaim 5, wherein the device profile is configured via a LightweightDirectory Access Protocol (LDAP) setting profile of the meter.
 7. Thesystem of claim 1, wherein the security configuration is a single listof user credentials applicable to each meter.
 8. The system of claim 7,wherein the list identifies which specific meter of the plurality ofmeters a specific user has access to.
 9. The system of claim 1, whereinthe security configuration includes a plurality of users arranged in atleast one group, access permissions to the plurality of meters beingbased on the at least one group.
 10. The system of claim 9, wherein theat least one groups is configured via Windows Active Directories andfeatures of the meter are managed as Active Directory objects.
 11. Thesystem of claim 1, wherein the communication device transmits a securityevent to the security server for storage in a log.
 12. A systemcomprising: a network for coupling devices and enabling the transmissionof data between the devices; at least one security server coupled to thenetwork including a first memory, the first memory configured to storesecurity configurations for a plurality of meters; and the plurality ofmeters, each meter of the plurality of meters including: a communicationdevice for coupling the meter to the network and receiving the securityconfiguration for the meter, and a second memory for storing thesecurity configuration in a local database, wherein the communicationdevice transmits a security event to the security server for storage ina log and the security event is transmitted via a Lightweight DirectoryAccess Protocol (LDAP).
 13. The system of claim 12, wherein the log isfed into a security information and event management (SIEM) system foranalysis, wherein the SIEM system generates an alert based on at leastone of when a specified event is detected, a threshold of eventoccurrences has been exceeded and/or a combination of events hasoccurred.
 14. The system of claim 12, wherein the log is fed into anintrusion detection system (IDS) for analysis, wherein the IDS systemgenerates an alert based events indicative of an intrusion by anattacker.
 15. An electric power meter comprising: at least one sensorcoupled an electrical power distribution system, the at least one sensorconfigured to measure at least one parameter of the electrical powerdistribution system and generate at least one analog signal indicativeof the at least one parameter; at least one analog-to-digital converterconfigured to receive the at least one analog signal and convert the atleast one analog signal to at least one digital signal; at least oneprocessor configured to receive the at least one digital signal andcalculate at least one power parameter of the electrical powerdistribution system; and a communication device for coupling the meterto a network, querying a security server for user credentials upon auser attempting to log into the meter and retrieving the usercredentials, wherein the at least one processor compares the retrieveduser credentials to credentials used in the log in attempt to grantaccess to the meter, wherein the at least one processor transmits asecurity event to the security server for storage in a log and whereinthe security event is transmitted via a Lightweight Directory AccessProtocol (LDAP).
 16. The meter of claim 15, wherein the at least oneprocessor caches the retrieved user credentials in a memory of the meterand requeries the security server upon the retrieved user credentialsexpiring.
 17. The meter of claim 16, wherein the at least one processorlimits the number of user credentials stored in the memory.
 18. A systemcomprising: a network for coupling devices and enabling the transmissionof data between the devices; at least one security server coupled to thenetwork including a first memory, the first memory configured to storesecurity configurations for a plurality of meters; and the plurality ofmeters, each meter of the plurality of meters including: a communicationdevice for coupling the meter to the network and receiving the securityconfiguration for the meter, and a second memory for storing thesecurity configuration in a local database, wherein the security serversends a notification to each meter when a security configuration haschanges and the meter pulls the changed security configuration afterreceiving the notification, the notification being broadcast as a UDP(user datagram protocol) message to the plurality of meters.
 19. Asystem comprising: a network for coupling devices and enabling thetransmission of data between the devices; at least one security servercoupled to the network including a first memory, the first memoryconfigured to store security configurations for a plurality of meters;and the plurality of meters, each meter of the plurality of metersincluding: a communication device for coupling the meter to the networkand receiving the security configuration for the meter, and a secondmemory for storing the security configuration in a local database,wherein the security configuration for each meter includes a deviceprofile for the meter, the device profile including security andnon-security parameters, and wherein the device profile is configuredvia a Lightweight Directory Access Protocol (LDAP) setting profile ofthe meter.
 20. A system comprising: a network for coupling devices andenabling the transmission of data between the devices; at least onesecurity server coupled to the network including a first memory, thefirst memory configured to store security configurations for a pluralityof meters; and the plurality of meters, each meter of the plurality ofmeters including: a communication device for coupling the meter to thenetwork and receiving the security configuration for the meter, and asecond memory for storing the security configuration in a localdatabase, wherein the security configuration includes a plurality ofusers arranged in at least one group, access permissions to theplurality of meters being based on the at least one group, and whereinthe at least one groups is configured via Windows Active Directories andfeatures of the meter are managed as Active Directory objects.
 21. Thesystem of claim 1, wherein the plurality of meters includes at least oneof a socket/S-base meter, a panel meter, a switchboard/draw-out meterand/or a A-base meter.
 22. The system of claim 12, wherein the pluralityof meters includes at least one of a socket/S-base meter, a panel meter,a switchboard/draw-out meter and/or a A-base meter.
 23. The system ofclaim 18, wherein the plurality of meters includes at least one of asocket/S-base meter, a panel meter, a switchboard/draw-out meter and/ora A-base meter.
 24. The system of claim 19, wherein the plurality ofmeters includes at least one of a socket/S-base meter, a panel meter, aswitchboard/draw-out meter and/or a A-base meter.
 25. The system ofclaim 20, wherein the plurality of meters includes at least one of asocket/S-base meter, a panel meter, a switchboard/draw-out meter and/ora A-base meter.